
Content filter no longer working

I adjusted Default Content Filter action to prevent Nudity sites from being accessible with success a couple years ago.  However, I checked the other day, and even though my setting are still intact, I am able to access Nudity sites.  If I use the policy test option, it says "blocked" as it should.  But, again, I am able to open a browser and access Nudity sites.  This feature was working perfectly last year.  Not sure when it stopped.  Suggestions?



  • Patrick, show us the line from the Web Filtering log file where traffic was allowed that should have been blocked.

    Cheers - Bob
    PS Moving this to the Web Protection forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2018:07:26-06:02:23 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_filter" file="confd-client.c" line="3837" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2018:07:26-06:02:24 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_reload_func" file="confd-client.c" line="651" message="reloading config done, new version 13163"
    2018:07:26-06:07:34 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
    2018:07:26-06:07:35 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"
    2018:07:26-07:02:25 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2018:07:26-07:02:26 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2018:07:26-07:02:26 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_filter" file="confd-client.c" line="3837" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2018:07:26-07:02:26 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_reload_func" file="confd-client.c" line="651" message="reloading config done, new version 13172"
    2018:07:26-07:07:35 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
    2018:07:26-07:07:37 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"
    2018:07:26-08:02:27 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
    2018:07:26-08:02:28 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2018:07:26-08:02:28 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_filter" file="confd-client.c" line="3837" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2018:07:26-08:02:29 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)"
    function="confd_config_reload_func" file="confd-client.c" line="651" message="reloading config done, new version 13183"
     
     

    WD 250GB 5400 RPM 8 MB WD2500LPVX hard drive
    8GB RAM
    SUPERMICRO MBD-A1SAM-2550F-O uATX
    Sophos UTM 9.3

  • This line is a problem

    failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080

    These addresses are supposed to point to UTM or point through UTM to an internet address at Sophos so that Sophos can intercept them.

     

    If you allow the address to flow through to internet DNS, it should resolve to a non-working address at Sophos, on the assumption that it will cause the packet to flow toward your UTM where it can be intercepted.   If your UTM is not in the path to the internet, create a DNS entry that resolves that address to your UTM.

  • I think that's unrelated to Patrick's issue, Doug.  I think that's just the proxy starting and confd_config_filter complaining that IPv6 isn't activated.

    Patrick, we still haven't seen any proof that the traffic you're seeing not-blocked is even passing through Web Filtering. In fact, your log shows two hours with not one web request appearing. Is 192.168.1.137 in one of the subnets in 'Allowed Networks' for any Web Filtering Profile?  If so and that Profile is in Standard mode, is your browser configured to use the proxy?

    Cheers - Bob

     
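The check Bob asks for above, as an added example that is not code from the thread or from Sophos: a small parser for the UTM httpproxy log that separates the config-reload noise (the `request="(nil)"` lines Patrick posted) from web requests, counts the requests seen from one client, and lists any request in a category you block that was nevertheless passed. The `key="value"` layout and the fields `id`, `severity`, `sys`, `sub`, `request`, `function` and `message` are taken from the lines posted in the thread; the access-line field names (`name="http access"`, `action`, `srcip`, `url`, `categoryname`) are assumptions modelled on that layout, and every sample line in `SAMPLE_LOG` is constructed for this example.

```javascript
// Added example: triage of UTM httpproxy log lines (not from the thread or Sophos).
// Field names on the "http access" lines are ASSUMED; sample lines are CONSTRUCTED.

const SAMPLE_LOG = [
  // A config-reload line of the kind posted in the thread: request="(nil)", no client.
  '2018:07:26-08:02:28 sophos httpproxy[3998]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3837" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"',
  // Constructed access lines (assumed field names): one other client, two from 192.168.1.137.
  '2018:07:26-08:12:03 sophos httpproxy[3998]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.50" dstip="203.0.113.10" statuscode="200" url="http://www.example.com/" categoryname="Search Engines"',
  '2018:07:26-08:12:40 sophos httpproxy[3998]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.137" dstip="198.51.100.7" statuscode="200" url="http://nudity.example/" categoryname="Nudity"',
  '2018:07:26-08:13:05 sophos httpproxy[3998]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="GET" srcip="192.168.1.137" dstip="198.51.100.8" statuscode="403" url="http://adult.example/" categoryname="Nudity"',
];

// key="value" pairs; the value may contain spaces, colons and commas (see the message field).
const KV_RE = /(\w+)="((?:[^"\\]|\\.)*)"/g;
const TS_RE = /^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) /;

function parseLine(line) {
  const ts = (TS_RE.exec(line) || [])[1] || null;
  const fields = {};
  for (const m of line.matchAll(KV_RE)) fields[m[1]] = m[2];
  return { ts, fields };
}

// Reloads, pattern updates and resolver complaints carry no srcip: noise for this question.
function isAccessLine(rec) {
  return rec.fields.name === "http access" && typeof rec.fields.srcip === "string";
}

// Returns counts plus the concrete lines that were passed although their category is on
// the block list. fromClient === 0 means the proxy never saw the client at all, so the
// problem is browser/proxy configuration or 'Allowed Networks', not the filter action.
function triage(lines, clientIp, blockedCategories) {
  const blocked = new Set(blockedCategories.map((c) => c.toLowerCase()));
  const report = { noise: 0, access: 0, fromClient: 0, allowedButShouldBeBlocked: [] };
  for (const line of lines) {
    const rec = parseLine(line);
    if (!isAccessLine(rec)) { report.noise++; continue; }
    report.access++;
    if (rec.fields.srcip !== clientIp) continue;
    report.fromClient++;
    const cat = (rec.fields.categoryname || "").toLowerCase();
    if (rec.fields.action === "pass" && blocked.has(cat)) {
      report.allowedButShouldBeBlocked.push({ ts: rec.ts, url: rec.fields.url, category: rec.fields.categoryname });
    }
  }
  return report;
}

// Stand-alone run over the constructed sample for the client from the thread.
console.log(JSON.stringify(triage(SAMPLE_LOG, "192.168.1.137", ["Nudity"]), null, 2));
```

Run it over the real `http.log` lines (one array element per line) for the client address in question. An empty `allowedButShouldBeBlocked` together with `fromClient` of zero is the situation Bob describes: the policy test says "blocked", but the browser never sends its requests to the proxy.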

  • "I am set to standard operation mode."

    OK, so let's see what you get when you click on [Settings] at the bottom of the page 'Tools' 'Options' in Firefox.  If you have selected 'Use system proxy settings', then also show us [LAN Settings] at the bottom of the 'Connections' tab in 'Internet Options' in 'Control Panel' in Windows.

    Cheers - Bob

     
  • Hi Bob

     

    Yes on Firefox setting to 'Use system proxy settings'.  Here is the screen shot for the LAN settings:

     


  • The 'Automatically detect settings' selection is known to cause these problems.  You can either create an 'Automatic configuration script' or 'Use a proxy server'.  I would start with the second choice so that you can see what Exceptions you want to make under [Advanced].

    Cheers - Bob

     
  • Thanks Bob.  So, sounds like I need to set a proxy server on each PC on the network.  Curious why it worked perfectly before.  Well, I guess you said that it was known for causing problems.

     

    Thanks again...


  • Based on all that has been said, it appears that the automatic configuration mechanism stopped working, and as a result the proxy was bypassed.   Most likely, the DNS (or DHCP) entry for WPAD got deleted by accident, or a machine that was configured with DHCP switched to static IP and no longer received the WPAD data because it no longer talked to the DHCP server.

    If the UTM is inline to the internet, you need to enable Transparent Web to detect and intercept these situations.   If it is not inline, I suggest you change to a bridge mode configuration, because it allowed me to move from out-of-band to in-band without changing any addressing.  Then enable Transparent Web as backup to Standard Web.

    See my post here for details of my transition to in-band, and feel free to send a Private Message if you have follow-up questions.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned
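Bob's suggestion of an 'Automatic configuration script' with exceptions under [Advanced], and Doug's point that the proxy was silently bypassed once automatic detection stopped working, as an added example that is neither from the thread nor from Sophos: a PAC file that sends browser traffic to the UTM's Standard-mode proxy and, deliberately, has no `DIRECT` fallback. The proxy address `192.168.1.1:8080`, the LAN `192.168.1.0/24` and the internal domain `.corp.example` are assumptions to be replaced with your own values. The helper functions at the top re-implement the PAC built-ins so the policy can be run and tested under node; browsers supply their own.

```javascript
// Added example: a PAC ("Automatic configuration script") for a UTM Standard-mode proxy.
// Not from the thread or Sophos. ASSUMED values: proxy 192.168.1.1:8080, LAN 192.168.1.0/24,
// internal domain .corp.example. The helpers below stand in for the browser's PAC built-ins.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Dotted-quad IPv4 to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// Only handles literal IPv4 hosts; a real PAC would call dnsResolve(host) first.
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

const UTM_PROXY = "PROXY 192.168.1.1:8080"; // assumed address of the UTM web proxy

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exceptions (what you would otherwise list under [Advanced]): single-label names,
  // loopback, the LAN itself and the internal domain go direct.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Everything else must pass through the UTM. No "; DIRECT" fallback on purpose:
  // a fail-open list lets the browser skip the content filter exactly when the proxy
  // is unreachable, which is the silent bypass Doug describes above.
  return UTM_PROXY;
}

// Apply the policy to a list of URLs so the decisions can be inspected.
function evaluate(urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { url: u, host, proxy: FindProxyForURL(u, host) };
  });
}

// Stand-alone run over a few constructed URLs.
console.log(evaluate([
  "http://www.example.com/",
  "http://intranet/",
  "http://192.168.1.20/",
  "http://10.9.8.7/",
  "https://files.corp.example/",
]));
```

Serve the file from an internal web server and enter its URL as the 'Automatic configuration script' (or push it with the GPO Bob mentions below). Note that `10.9.8.7` is still proxied: only the networks you list explicitly bypass the UTM, so the exception list is the whole of your bypass policy and should stay short.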

     

  • Agreed with Doug about having the Default Profile in Transparent and a Standard-mode Profile for the same subnet.

    Configuring HTTP/S proxy access with AD SSO contains information about creating a GPO to distribute Proxy settings to everyone.

    You might be interested in a document I maintain that I make available to members of the UTM Community, Patrick, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  For German-speaking members, I also maintain a German version initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     